In short, the MD5 signature for the Portable tarball in the release notes
is wrong. The correct signature is:

7b36f28fc16e1b7f4ba3c1dca191ac92 openssh-4.0p1.tar.gz

There was a last-minute compile fix which required a re-rolling of the
release tarballs.

I have confirmed that the signature in the release notes matches the
signature for the tarball without that fix, that the tarball on the
FTP site contains the fix and that the only difference between the two is
the aforementioned fix. I have also confirmed a good gpg signature from
djm.